The cyber security industry evolved significantly in 2018, with aggressive new attackers emerging, according to the FireEye Mandiant ‘M-Trends 2019 Report’.

Encouragingly, however, organisations are getting better at responding to breaches quickly. Over the past eight years, dwell times have decreased significantly – from a median dwell time of 416 days in 2011 to 78 days in 2018.

Thirty-one percent of the breaches investigated by Mandiant last year had dwell times of 30 days or less, up from 28 percent of compromises in 2017. Twelve percent had dwell times greater than 700 days, down from 21 percent in 2017.

The report suggests that the increase in compromises detected in less than 30 days is due to greater use of ransomware and cryptominers over the last 12 months, which are detected faster. FireEye also believes that companies are improving their data visibility through better tooling, which allows for faster response times. In the Americas, the median dwell time fell from 75.5 days in 2017 to 71 days in 2018.

Nation states continue to pose an increasingly dangerous and evolving threat. The report identifies North Korea, Russia, China and Iran, among others, as the most threatening actors which are continually enhancing their capabilities and changing their targets in alignment with their political and economic agendas. The report suggests that significant investments have provided these actors with more sophisticated tactics, tools, and procedures, with some becoming more aggressive, and others better at hiding and staying persistent for longer periods of time.

There are a number of important steps companies must take if they are to resist attacks which are coming in increasingly diverse forms. Attackers are targeting data in the cloud, including cloud providers, telecoms and other service providers; they are re-targeting past victim organisations and are even launching phishing attacks during mergers & acquisitions (M&A) activity.

“By regularly reviewing and updating their incident Response Plans and associated use cases and playbooks, organisations can mitigate the risk of destruction of important evidence, failure to identify major breaches, and extending the duration of breaches,” notes the report. “Organisations should incorporate important concepts such as evidence preservation during remediation activities, context of alerts instead of simple volume metrics, and eradication timing into these documents. This will empower front line analysts to effectively escalate relevant information to decision makers and avoid costly mistakes.”